On April 16, 2021, the Garante per la protezione dei dati personali, the Italian Data Protection Authority (DPA), issued an unfavourable opinion on the use of the SARI Real Time system by the Ministry of the Interior, a real-time facial recognition system aiming to assist the Police Force in the management of public order and safety.

According to the DPA, the system has been designed and developed to function as a mobile solution and “can be installed directly at the location where there is a need for facial recognition technology”. More specifically, “it appears that the SARI Real-time system – which, as things stand, is not yet active – allows, by means of a series of cameras installed in a predetermined and delimited geographical area, to analyse in real time the faces of the persons filmed there, comparing them with a database predefined for the specific service (known as a “watch-list”), which has a maximum size of 10,000 faces.” 

Consequently, “If a facial recognition algorithm detects a match between a face on the watch-list and a face captured by one of the cameras, the system generates an alert that draws the attention of the operators”.

Recalling the recent guidelines produced by the Council of Europe on the use of facial recognition technologies, “which point out the intrusiveness that it entails for the right to privacy and dignity of individuals, together with the risk of negative repercussions on other human rights and fundamental freedoms”, the Italian Data Protection Authority emphasises that these technologies, used for the purposes of prevention and repression of crimes, are ”extremely delicate”. 

In particular, the DPA noted that “It should be considered (…) that Sari Real Time would implement an automated processing on a large scale that may also affect people attending political and social events, which are not subject to ‘attention’ by the police. And even if in the impact assessment presented, the Ministry explains that the images would be immediately deleted, the identification of a person would be achieved through the processing of biometric data of all those present in the monitored space, in order to generate patterns comparable with those of the subjects included in the “watch-list”. This would lead to an evolution in the very nature of surveillance activity, marking a shift from the targeted surveillance of certain individuals to the possibility of universal surveillance.“

“The processing of images aimed at identifying persons in the public context is therefore extremely delicate and an overall assessment is therefore necessary, to avoid that individual initiatives, added together, defining a new model of surveillance introduce, in fact, a non-reversible change in the relationship between the individual and the authorities.”

Besides these concerns, the Authority based its opinion on the lack of legal basis for the deployment of such a system. 

The DPA first explains that “the SARI Real-Time system, insofar as its purpose is to process personal data for the purpose of preventing offences and threats to public safety and, also by delegation of the Judicial Authority, for the investigation, detection and prosecution of offences, falls within the scope of the Decree” and in particular its article 7 which provides that the processing of special data referred to in Article 9 of the GDPR be subject to specific conditions, including that it must be ‘specifically provided for by EU law or by law or, in cases provided for by law, by regulation“.

Secondly, the DPA underlines that “special rules for this type of processing, as compared with the general rules laid down by the GDPR, show that such processing gives rise to a strong interference with the private life of the persons concerned, which must be justified by an adequate legal basis”. However, in its conclusion the Italian DPA found that “there is no legal basis (…) to allow the processing of biometric data in question”. The Data Protection Authority notes that this observation was also recently made in another case, which shares some similarities with the present case. 

Consequently, The DPA used its opinion to underline the fact that the legal basis needed for deploying such a system is “a result of the weighing of all the rights and freedoms involved, [and] must, inter alia, make the use of such systems adequately predictable, without giving such a wide discretion that its use depends in practice on those who will be called upon to dispose of it, rather than on the regulatory provision to be issued.” The DPA highlighted these concerns through the example of the SARI Real-Time’s system watchlists. The DPA explained that “the criteria for identifying the persons who may be placed on the watchlist or those for determining the cases in which the system may be used” raise some question related to “the limits of the techniques in question” as these technologies are intrinsically fallible. According to them, before the deployment of such technology, it should be considered and estimated “the possible consequences for the interested parties in the case of false positives.”